Configuring Transparent Interception with Fedora Core Linux and WCCPv2
Warning: Any example presented here is provided "as-is" with no support or guarantee of suitability. If you have any further questions about these examples please email the squid-users mailing list.
This configuration is for a Fedora Core Linux box with a 2.6.18 kernel running Squid and receiving WCCPv2 traffic through ip_gre. Another device (the router) is expected to perform the WCCPv2 redirection and forward the intercepted traffic to this box for processing.
Fedora Core WCCPv2 configuration
The GRE packets are sourced from one of the IPs on the router - I'm guessing it's the "Router Identifier". This may not be the local ethernet IP (so in this case it isn't 192.168.1.1).
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
# Controls source route verification
net.ipv4.conf.default.rp_filter = 0
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
DEVICE=gre0
BOOTPROTO=static
IPADDR=172.16.1.6
NETMASK=255.255.255.252
ONBOOT=yes
IPV6INIT=no
By configuring the interface like this, it automatically comes up at boot, and the module is loaded automatically. I can additionally ifup or ifdown the interface at will. This is the standard Fedora way of configuring a GRE interface.
- I build customised kernels for my hardware, so I have this set in my kernel .config:
However, you can optionally build the GRE tunnel directly into your kernel by selecting 'y' instead.
Fedora Core Intercept configuration
Then you need to redirect the packets coming in on the gre0 interface to the Squid application.
-A PREROUTING -s 192.168.0.0/255.255.255.0 -d ! 192.168.0.0/255.255.255.0 -i gre0 -p tcp -m tcp --dport 80 -j DNAT --to-destination $SQUIDIP:3127
Squid Configuration File
http_port 3127 transparent
wccp2_router $ROUTERIP
# GRE forwarding
wccp2_forwarding_method 1
# GRE return method
wccp2_return_method 1
wccp2_service standard 0
From Squid-3.1 the magic numbers are now mostly gone. This should work and be clearer:
wccp2_forwarding_method gre
wccp2_return_method gre
What does it all look like?
- my operating system runs a GRE tunnel which looks like this:
[root@tornado squid]# ifconfig gre0
gre0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.16.1.6  Mask:255.255.255.252
          UP RUNNING NOARP  MTU:1476  Metric:1
          RX packets:449 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:20917 (20.4 KiB)  TX bytes:0 (0.0 b)
- my router sees the cache engine, and tells me how much traffic it has switched through to the cache:
router#show ip wccp web-cache
Global WCCP information:
    Router information:
        Router Identifier:                   172.16.1.5
        Protocol Version:                    2.0

    Service Identifier: web-cache
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets s/w Redirected:        1809
          Process:                           203
          Fast:                              1606
          CEF:                               0
        Redirect access-list:                -none-
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

router#
router#show ip wccp web-cache detail
WCCP Client information:
        WCCP Client ID:          192.168.0.5
        Protocol Version:        2.0
        State:                   Usable
        Initial Hash Info:       00000000000000000000000000000000
                                 00000000000000000000000000000000
        Assigned Hash Info:      FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                                 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
        Hash Allotment:          256 (100.00%)
        Packets s/w Redirected:  449
        Connect Time:            13:51:42
        Bypassed Packets
          Process:               0
          Fast:                  0
          CEF:                   0
router#